(11) EP 0 957 606 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 17.11.1999 Bulletin 1999/46
(51) Int Cl.6: H04L 9/08
(21) Application number: 99303550.0
(22) Date of filing: 06.05.1999
(84) Designated Contracting States: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
     Designated Extension States: AL LT LV MK RO SI
(30) Priority: 12.05.1998 JP 12921498
(71) Applicant: SONY CORPORATION, Tokyo 141 (JP)
(72) Inventor: Hara, Kazuhiro, Shinagawa-ku, Tokyo (JP)
(74) Representative: Pratt, Richard Wilson et al, D. Young & Co, 21 New Fetter Lane, London EC4A 1DA (GB)

(54) Encrypted data transmission over satellite links

(57) A data transmission system permits secure and more reliable transmission of data from a data transmitter (2) to a data receiver or receivers (3a, 3b, 3c). The system comprises: a data transmitter (2) for encrypting data and transmitting the encrypted data; data receivers (3a, 3b, 3c) for receiving the encrypted data from the data transmitter; satellite links (4, 4a) used for data transmission from the data transmitter to the data receivers; and bidirectional communication channels (9) which are also used for transmitting data from the data receivers to the data transmitter and which have a smaller capacity of data transmission than the satellite links. The satellite links (4, 4a) are used to transmit encrypted data from the data transmitter to the data receivers. At least the bidirectional communication channels (9) are used to communicate restrictive data transmission control information between the data transmitter (2) and the data receivers (3).




Europäisches Patentamt
European Patent Office
Office européen des brevets







Description 

BACKGROUND OF THE INVENTION 
Field of the Invention 

[0001] The present invention relates to a data transmission controlling method and a data transmission system.

[0002] An embodiment of the invention concerns controlling transmission of data from a data transmitter to a data receiver. More particularly, the embodiment concerns a data transmission controlling method and a data transmission system for limiting the reception of transmitted data from a data transmitter to a specific data receiver.

Description of the Related Art 

[0003] In recent years, network type data transmission systems which allow a data transmitter to transmit data to a plurality of remotely located data receivers have been established. For example, satellite television broadcasting is implemented as a broadcast data transmission system utilizing satellite links to distribute video and audio information to a plurality of data receivers.

[0004] Another example of the broadcast data transmission system is the Ethernet that is set up as a local area network (LAN). As shown in Fig. 1, an Ethernet network is typically constituted by a data transmitter 351 for transmitting data and by data receivers 352a and 352b for receiving data from the data transmitter 351 over a network 353. A maximum allowable distance between data receivers on the Ethernet is set for several kilometers.

[0005] Where it is desired for the data transmitter 351 in the above data transmission system to transmit data to the data receiver 352a, the data transmitter 351 places the data onto the network 353. The transmitted data are supplemented with a destination address identifying the destination data receiver 352a. Illustratively, 48 bits are used to express a large volume of destination address information.

[0006] The data placed by the data transmitter 351 onto the network 353 are received by the data receivers 352a and 352b alike. Each data receiver references the destination address attached to the received data to see if the address corresponds to its own address. A typical frame format used by the Ethernet is structured as shown in Fig. 2. In this format, a destination address part 401 designates the address of the destination data receiver that should receive the data.

[0007] If a given data receiver judges that the received address is not its own, the receiver discards the transmitted data. That is, the data receiver 352a, judging the address attached to the data to be its own, accepts the transmitted data, while the data receiver 352b, failing to detect its own address in the received data, discards the data. On the Ethernet, a data receiving process by a data receiver typically proceeds as shown in the steps constituting a flowchart of Fig. 3.

[0008] In step S101, the data receiver receives an Ethernet frame containing data from a local area network. In step S102, the data receiver extracts a destination address from the received Ethernet frame. In step S103, the data receiver checks to see if the destination address is its own address (unicast address) or an address to which it belongs (multicast address). If the destination address turns out to be the data receiver's own address (unicast address) or an address to which it belongs (multicast address), the data receiver transmits the Ethernet frame to a host computer. A unicast address signifies an address destined for an individual receiver, and a multicast address is an address allowing a plurality of data receivers (e.g., a data receiver group) to receive the data transmitted in conjunction with the address.

[0009] If the destination address turns out to be neither the address destined for the data receiver in question (unicast address) nor an address to which the data receiver belongs (multicast address), then the data receiver discards the Ethernet frame.

[0010] According to the above method of data transmission based on the destination address scheme, any data receiver whose address does not match a transmitted destination address is supposedly incapable of receiving the data furnished with the address. With that data transmission method in effect, however, a data receiver may have its address and its judging feature modified unscrupulously so as to accept otherwise destined data, i.e., data without the destination address identifying the data receiver in question. Such a possibility poses a security problem when confidential data need to be transmitted to a specific data receiver.
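The receiver-side check of Fig. 3 and the weakness described in [0010], as an added example (not code from the application): a parser for the Fig. 2 frame layout, a receiver that applies step S103 against its own unicast address, the multicast groups it belongs to and the broadcast address, and the same receiver with its judging feature switched off. Frame contents, station addresses and the multicast group are constructed for this example.

```python
"""Receiver-side destination filtering as in steps S101-S103 of Fig. 3,
and why it is not an access control ([0010]).

Added example for this page, not code from the application. Frame
contents, addresses and the multicast group below are constructed.
"""
import struct

BROADCAST = b"\xff" * 6


def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload).
    The destination address part 401 of Fig. 2 is the first six octets."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def is_multicast(addr: bytes) -> bool:
    """The I/G bit (least significant bit of the first octet) marks a group address."""
    return bool(addr[0] & 0x01)


class Receiver:
    """Step S103: accept the receiver's own unicast address, the multicast
    groups it belongs to, and broadcast; discard anything else."""

    def __init__(self, own_addr: bytes, groups=(), promiscuous: bool = False):
        self.own_addr = own_addr
        self.groups = set(groups)
        # The 'judging feature modified unscrupulously' of [0010]: the check
        # lives entirely in the receiver, so the receiver can simply skip it.
        self.promiscuous = promiscuous

    def accepts(self, dst: bytes) -> bool:
        if self.promiscuous:
            return True
        if dst == self.own_addr or dst == BROADCAST:
            return True
        return is_multicast(dst) and dst in self.groups

    def receive(self, frame: bytes):
        """Return the payload handed to the host, or None if the frame is discarded."""
        dst, _src, _ethertype, payload = parse_frame(frame)
        return payload if self.accepts(dst) else None


# Constructed stations on one segment, in the roles of Fig. 1's 351, 352a and 352b.
SENDER = bytes.fromhex("020000000351")
STATION_A = bytes.fromhex("02000000035a")
STATION_B = bytes.fromhex("02000000035b")
GROUP = bytes.fromhex("01005e000001")     # IPv4 multicast MAC prefix 01:00:5e


def demo() -> dict:
    to_a = build_frame(STATION_A, SENDER, 0x0800, b"confidential, for 352a only")
    to_group = build_frame(GROUP, SENDER, 0x0800, b"for the group")
    honest_b = Receiver(STATION_B, groups=[GROUP])
    tampered_b = Receiver(STATION_B, groups=[GROUP], promiscuous=True)
    return {
        "honest_b_unicast": honest_b.receive(to_a),       # discarded
        "honest_b_group": honest_b.receive(to_group),     # accepted
        "tampered_b_unicast": tampered_b.receive(to_a),   # the [0010] problem
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point the example makes is that nothing in the frame stops the tampered receiver: the destination address is a hint to a cooperating receiver, not a protection, which is why the rest of the document turns to encryption.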
[0011] Over the Ethernet, the number of data receivers connected to the same network is limited, and so are the distances between the connected receivers. That means there is only a limited possibility that data sent to one data receiver may be tapped illicitly by another data receiver. Illustratively, under a typical Ethernet scheme of 10BASE5, the maximum length of cables for one segment is limited to 500 meters and the number of transceivers (data transmitter-receivers) connectable to the network is set for up to 100.

[0012] Meanwhile, if a data transmission network is structured using satellite links, one network can cover an area wider than a whole country such as Japan. On such a network, data transmitted to a data receiver on the northernmost island of Hokkaido can be tapped by a data receiver in the southernmost Okinawa Prefecture. That is, on any satellite link-based network to which a large number of data receivers are connected, there is an increased possibility of data being illicitly tapped by unintended parties.

[0013] In a data transmission setup utilizing broadcast type communication channels such as satellite links, untreated data can be received not only by the intended data receiver but also by those not supposed to receive the data in question. One solution to this problem with today's digital data broadcasting systems using a communication satellite is the encryption of data (i.e., primarily video and audio information) prior to their transmission over satellite communication links. Data receivers, for their part, have a decrypting function to reconstitute the original data. In that type of data transmission system, only those data receivers authorized beforehand to receive data can decrypt the transmissions for audio-visual consumption. One such system is based on Report No. 74 by the Telecommunications Technology Council (Japan). As its transmission format, the system utilizes MPEG2 (Moving Picture Experts Group Phase 2) transport stream packets (TS packets). Illustratively, the system has its data transmitter encrypt data using encryption keys and has its data receivers decrypt the encrypted data using decryption keys corresponding to the encryption keys. The format of the TS packet is shown in Fig. 4. A PID (packet identification) part 411 and a scramble control part 412 in the header of the format determine encryption keys. Typically, the encryption keys include a session key Ks and a work key Kw. The PID part 411 makes up 13-bit data and the scramble control part 412 constitutes two-bit data.
[0014] A data transmission system in the existing satellite television broadcast setup transmitting data in the TS packet typically comprises a data transmitter 501 and a data receiver 511 as depicted in Fig. 5. The data transmitter 501 has encryption units 502, 503 and 504 that carry out data encryption using various encryption keys. The data receiver 511 has decryption units 512, 513 and 514 that perform data decryption using various decryption keys, and an authorization judging unit 515.

[0015] In the data transmission system of the above structure, the data transmitter 501 first transmits a work key Kw 506 to the data receiver 511. Specifically, the data transmitter 501 prepares in advance the work key Kw 506 corresponding to the PID part 411 and scramble control part 412. The data transmitter 501 then gets the work key Kw 506 encrypted by the encryption unit 504 using a master key Km 507. The encrypted work key Kw 506 is transmitted to the data receiver 511. The master key Km 507 is identical to a master key (decryption key) Km 518 specific to the data receiver 511. The encrypted work key Kw 506 is transmitted from the data transmitter 501 to the data receiver 511 over a satellite link.

[0016] On receiving the work key Kw 506 encrypted with the master key Km 507, the data receiver 511 decrypts the received key using its own master key Km 518. The decrypted work key Kw 517 is preserved by the data receiver 511 in correspondence with the PID part. The work key Kw 517 is used to decrypt encrypted data coming from the data transmitter 501.

[0017] Upon data transmission from the data transmitter 501 to the data receiver 511, the data transmitter 501 has a payload part 413 of data in the TS packet encrypted by the encryption unit 502 using a session key Ks 505. At the same time, the session key Ks 505 is encrypted by the encryption unit 503 using the work key Kw 506.

[0018] Upon receipt of the TS packet with its PID part identifying the data receiver 511 as the destination, the data receiver 511 extracts the previously preserved work key Kw 517 based on the PID part 411 in the transmitted TS packet. Using the extracted work key Kw 517, the data receiver 511 decrypts the encrypted session key Ks 505 transmitted together with the data from the data transmitter 501. By use of the session key Ks 516 thus decrypted, the data receiver 511 decrypts the payload part 413 in the TS packet to extract the data therefrom.

[0019] Unauthorized data receivers do not possess the appropriate work key Kw corresponding to the PID part of interest because the work key Kw has not been sent to these data receivers. Such data receivers are incapable of decrypting the session key Ks that the data transmitter 501 has transmitted following key encryption using the work key Kw. With the session key Ks not decrypted, the unauthorized data receivers cannot decrypt the encrypted data from the data transmitter 501. In other words, the unapproved data receivers can receive encrypted data but cannot decrypt the data for audio-visual consumption.

[0020] The above broadcasting system utilizing satellite links typically implements restrictive data transmission control as described. Various other methods of restrictive data transmission control are also practiced not only by broadcasting systems but also over, say, the Internet.

[0021] On the Internet, PGP (Pretty Good Privacy) and PEM (Privacy Enhanced Mail) are illustratively used to encrypt electronic mail against eavesdropping or falsification by unscrupulous parties. Also employed on the Internet is SSL (Secure Sockets Layer), designed to forestall illicit tapping of credit card numbers transferred in electronic commerce based on HTTP (Hyper Text Transfer Protocol). These schemes are characterized by the use of an encryption system or by the adoption of flexible data transmission controls.

[0022] There exist more generalized data transmission control methods targeted for IP (Internet Protocol) datagrams. Standardized methods of this kind include AH (Authentication Header) and ESP (Encapsulating Security Payload), generically called IPsec.

[0023] The following problems have been generally experienced in connection with television broadcasts utilizing satellite links:

[0024] A first problem is the limited number of authorized data receivers. As shown in Fig. 4, the PID part and the scramble control part for identifying encryption keys comprise only 13 bits and two bits respectively. That means 15 bits are employed to specify only up to 2^15 (= 32,768) data receivers.

[0025] A second problem is the increase in costs on the transmitting side in keeping with a growing number of PIDs in use. Illustratively, the data transmitter needs approximately as many MPEG2 encoders as there are PIDs in use. Thus along with an increased PID count have come increased costs on the data transmitter side, which requires installing large-scale facilities.
[0026] A third problem is the inability of the data transmitter in one-way data transmission over satellite links to know whether information has been correctly transmitted to destination data receivers. For example, there may be cases where, without the knowledge of the data transmitter, data receivers cannot actually receive data therefrom despite their authorized status. However, attempts to transmit information more reliably to data receivers take time. This can involve wasteful consumption of a lot of resources, which causes the reliable yet time-consuming scheme to become an impediment to flexible data transmission control.

[0027] A fourth problem concerns a poor affinity with the Internet Protocol when an IP datagram must be transmitted with its PID adjusted to an IP destination address by the data transmitter. More specifically, the destination address of an IP datagram has a 32-bit address format that is difficult to adjust with respect to the 13-bit PID part. Furthermore, the above methods currently used on the Internet have a fifth problem: PGP, PEM and SSL are application-specific data transmission controls and are not common to all applications on the Internet. The need for each application to be provided with its own controlling method makes prompt handling of newly introduced applications difficult.

[0028] A sixth problem is that while the authentication header and encapsulating security payload are application-independent, there are virtually no network devices compatible with these methods at the level of the current version of the Internet Protocol (e.g., IPv4). While the next version of the Internet Protocol (e.g., IPv6) allows AH and ESP to be used on the Internet in standardized fashion, they are considered practically unusable over the existing Internet.

SUMMARY OF THE INVENTION 

[0029] An embodiment of the present invention seeks 
to provide a data transmission controlling method and 
a data transmission system whereby data transmission 
from a data transmitter to data receivers is carried out 
in a more secure and a more reliable manner than be- 
fore. 

[0030] According to one aspect of the present invention, there is provided a data transmission controlling method comprising the steps of: transmitting data encrypted by data transmitting means to data receiving means over a first communication channel provided for data transmission from the data transmitting means to the data receiving means; and transmitting to the data receiving means restrictive data transmission control information for causing the encrypted data from the data transmitting means to be received solely by specific data receiving means at least over a second communication channel which, having a smaller capacity of data transmission than the first communication channel, is also used for data transmission from the data receiving means to the data transmitting means.

[0031] With this data transmission controlling method in use, the data transmitting means transmits data over the first communication channel to the data receiving means. Restrictive data transmission control information may be exchanged at least over the second communication channel between the data transmitting means and the data receiving means.

[0032] By the data transmission controlling method above, the data transmitting means may transmit data including restrictive data transmission control information to the data receiving means over the first and the second communication channel. Over the second communication channel, information about data exchanges between the data transmitting means and specific data receiving means may be sent therebetween.

[0033] Illustratively, the method above allows the data transmitting means to know whether the data sent to specific data receiving means have been correctly received thereby.

[0034] According to another aspect of the invention, there is provided a data transmission system comprising: a first communication channel used for data transmission from data transmitting means to data receiving means; and a second communication channel permitting bidirectional communication between the data transmitting means and the data receiving means; wherein the first communication channel is used to transmit encrypted data from the data transmitting means to the data receiving means; and wherein at least the second communication channel is used to transmit restrictive data transmission control information for causing the encrypted data from the data transmitting means to be received solely by specific data receiving means.

[0035] In the data transmission system of the above structure, the data transmitting means transmits data over the first communication channel to the data receiving means. Restrictive data transmission control information is exchanged over the second communication channel between the data transmitting means and the data receiving means, the second communication channel being at least used for data transmission from the data transmitting means to the data receiving means and having a smaller capacity of data transmission than the first communication channel.

[0036] In the data transmission system above, the data transmitting means may transmit data including restrictive data transmission control information to the data receiving means over the first and the second communication channel. Over the second communication channel, information about data exchanges between the data transmitting means and specific data receiving means may be transmitted therebetween.

[0037] Illustratively, the system above allows the data transmitting means to know whether the information sent to specific data receiving means has been correctly received thereby.

[0038] According to a further aspect of the invention, there is provided a data transmission controlling method comprising the steps of: encapsulating data to be transmitted from data transmitting means to data receiving means in multiplexed fashion in accordance with a plurality of protocols; and encrypting at least one of the data capsules resulting from the encapsulation.

[0039] With the above data transmission controlling method in use, data to be transmitted from the data transmitting means to the data receiving means are encapsulated in multiplexed fashion in keeping with a plurality of protocols.

[0040] The method allows data to be transmitted with related protocol requirements kept intact. That means data may be transmitted while retaining their compatibility with specific protocols. When data are encapsulated in keeping with a protocol to secure a space in which to store the data in question, there is provided a data space in which to accommodate various kinds of information. Encrypting the encapsulated data ensures further security.

[0041] Illustratively, data may be encapsulated in accordance with a protocol that can accommodate specific data. The encapsulating process provides a sufficient space to store information such as encryption keys about destination addresses. The destination address information is substantially increased compared with the conventional TS packet scheme under which the address information is written to the PID part and the scramble control part. This eliminates the need for expanding the PID part.

[0042] In addition, there is no need for each application to be provided with its own controlling method. This means that newly introduced applications are promptly dealt with. Furthermore, the authentication header (AH) and the encapsulating security payload (ESP) are allowed to be used on the existing Internet.

[0043] According to an even further aspect of the invention, there is provided a data transmission controlling method comprising the steps of: encrypting data using an encryption key; supplementing the encrypted data with encryption key information about the encryption key used to encrypt the data in question; transmitting the encrypted data together with the encryption key information from data transmitting means to data receiving means; and decrypting the encrypted data using one of a plurality of decryption keys which allow the data receiving means to decrypt the encrypted data and which are updated frequently, that one of the decryption keys being selected in accordance with the encryption key information attached to the encrypted data.

[0044] By the method, the data encrypted in the data encrypting step using the encryption key are furnished with encryption key information about the encryption key used to encrypt the data in question. In the data transmitting step, the encrypted data are transmitted together with the encryption key information from the data transmitting means to the data receiving means. In the data decrypting step, the encrypted data are decrypted by use of one of a plurality of decryption keys which allow the data receiving means to decrypt the encrypted data and which are updated frequently, that one of the decryption keys being selected in accordance with the encryption key information attached to the encrypted data.

[0045] By the data transmission controlling method, the data transmitting means encrypts data using an encryption key. The data receiving means decrypts the encrypted data received using one of a plurality of decryption keys which are frequently updated. That one decryption key is selected from among the multiple decryption keys by the data receiving means based on the encryption key information transmitted together with the encrypted data.
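The three-level key hierarchy of the related-art system in [0013]-[0019] (master key Km per receiver, work key Kw per PID and scramble control value, session key Ks for the payload) and the key-information flag of [0043]-[0045], under which a receiver holds several frequently updated session keys and selects one by the flag carried with the data, worked through in one added example. This is not code from the application or from any Sony system: the cipher is a toy SHA-256 keystream with an HMAC tag standing in for the unnamed cipher of the application, the one-byte key flag and 16-byte keys are assumptions, and all keys and data are constructed here.

```python
"""Km -> Kw -> Ks -> payload key hierarchy ([0013]-[0019]) with the
key-information flag of [0043]-[0045] for selecting among several Ks.

Added example for this page, not code from the application. The cipher is
a toy SHA-256 keystream plus HMAC tag (the application names no algorithm);
the one-byte key flag, key sizes and all keys/data are assumptions.
"""
import hashlib
import hmac
import os

PID_BITS, SC_BITS = 13, 2                    # Fig. 4: PID part 411, scramble control 412
MAX_KEY_SLOTS = 1 << (PID_BITS + SC_BITS)    # [0024]: 2**15 = 32,768


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in only): XOR with SHA-256(key|nonce|counter)."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce | ciphertext | 8-byte HMAC tag; the tag makes a wrong key detectable."""
    nonce = os.urandom(8)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()[:8]


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:8], blob[8:-8], blob[-8:]
    expect = hmac.new(key, nonce + ct, "sha256").digest()[:8]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key or corrupted data")
    return _xor_stream(key, nonce, ct)


class Receiver:
    """Holds Km ([0015]); per (PID, sc) a work key Kw and a table flag -> Ks."""

    def __init__(self, km: bytes):
        self.km, self.kw, self.ks = km, {}, {}

    def on_kw_message(self, pid: int, sc: int, kw_under_km: bytes) -> None:
        self.kw[(pid, sc)] = unseal(self.km, kw_under_km)           # [0016]

    def on_ks_message(self, pid: int, sc: int, flag: int, ks_under_kw: bytes) -> bool:
        """Ks update broadcast under Kw. Without Kw for this PID the receiver
        cannot open it ([0019]); with it, the new Ks is stored under its flag
        and older flags are kept for packets still in flight ([0043])."""
        if (pid, sc) not in self.kw:
            return False
        self.ks.setdefault((pid, sc), {})[flag] = unseal(self.kw[(pid, sc)], ks_under_kw)
        return True

    def receive(self, pkt: dict) -> bytes:
        """Pick Ks by the flag attached to the data ([0044]), then decrypt the payload."""
        ks = self.ks[(pkt["pid"], pkt["sc"])][pkt["flag"]]      # KeyError if unauthorised
        return unseal(ks, pkt["body"])


class Transmitter:
    def __init__(self):
        self.kw, self.ks = {}, {}            # (pid, sc) -> Kw ; (pid, sc) -> (flag, Ks)

    def authorise(self, rx: Receiver, pid: int, sc: int) -> None:
        """Kw goes to one receiver encrypted under that receiver's Km ([0015])."""
        kw = self.kw.setdefault((pid, sc), os.urandom(16))
        rx.on_kw_message(pid, sc, seal(rx.km, kw))

    def rotate_ks(self, pid: int, sc: int, audience) -> int:
        """New Ks under the next flag value, broadcast to everyone under Kw."""
        flag = (self.ks.get((pid, sc), (-1,))[0] + 1) & 0xFF
        ks = os.urandom(16)
        self.ks[(pid, sc)] = (flag, ks)
        blob = seal(self.kw[(pid, sc)], ks)
        for rx in audience:
            rx.on_ks_message(pid, sc, flag, blob)
        return flag

    def send(self, pid: int, sc: int, payload: bytes) -> dict:
        flag, ks = self.ks[(pid, sc)]
        return {"pid": pid, "sc": sc, "flag": flag, "body": seal(ks, payload)}


def demo() -> dict:
    tx, member, stranger = Transmitter(), Receiver(os.urandom(16)), Receiver(os.urandom(16))
    pid, sc = 0x101, 0b10
    tx.authorise(member, pid, sc)                      # stranger never gets Kw
    f1 = tx.rotate_ks(pid, sc, [member, stranger])
    early = tx.send(pid, sc, b"sent under the first Ks")
    f2 = tx.rotate_ks(pid, sc, [member, stranger])     # frequent update ([0043])
    late = tx.send(pid, sc, b"sent under the second Ks")
    try:
        stranger_result = stranger.receive(late)
    except KeyError:
        stranger_result = None
    return {"early": member.receive(early), "late": member.receive(late),
            "flags": (f1, f2), "stranger": stranger_result, "stranger_has_ks": bool(stranger.ks)}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting against the text: keeping the previous flag's Ks in the receiver table is what lets a packet encrypted just before a rotation still decrypt, and the authentication tag turns "cannot decrypt" into a detectable failure rather than silent garbage, which the XOR-only construction of a bare stream cipher would not give you.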

BRIEF DESCRIPTION OF THE DRAWINGS 

[0046] For a better understanding of the present invention, reference will now be made by way of example to the accompanying drawings in which:

Fig. 1 is a schematic view sketching a typical structure of a conventional data transmission system;
Fig. 2 is a schematic view illustrating a data structure of an Ethernet frame which is used by the conventional data transmission system in transmitting data and which contains a destination address;
Fig. 3 is a flowchart of steps in which a data receiver of the conventional data transmission system checks to see if an Ethernet frame received over the Ethernet contains the receiver's own destination address and in which the data receiver performs processing subsequent to the destination address check;
Fig. 4 is a schematic view of a data structure format for a TS packet;
Fig. 5 is a schematic view showing how a data transmitter and a data receiver are constituted in the conventional data transmission system;
Fig. 6 is a schematic view of a data transmission system embodying the invention;
Figs. 7A through 7G are schematic views of data which are to be transmitted from a data transmitter to a data receiver in the data transmission system and which are encapsulated in accordance with a plurality of protocols;
Fig. 8 is a block diagram of a data transmitter and a data receiver in the data transmission system;
Fig. 9 is a flowchart of steps in which to update a session key for encrypting data to be sent from the data transmitter to the data receiver;
Fig. 10 is a schematic view showing a data structure of a section header;
Fig. 11 is a correspondence table in which MAC addresses are set in correspondence with flags of session keys Ks;
Fig. 12 is a flowchart of steps in which the data transmitter encapsulates data;
Fig. 13 is a correspondence table in which IP addresses are set in correspondence with MAC addresses;
Fig. 14 is a flowchart of steps in which the data receiver decrypts received data using a session key Ks;
Fig. 15 is a correspondence table in which MAC addresses are set in correspondence with session keys Ks;
Fig. 16 is a schematic view depicting a data structure holding a TOTALLENGTH field used to extract an IP datagram;
Fig. 17 is a schematic view of a first variation of the data transmission system; and
Fig. 18 is a schematic view of a second variation of the data transmission system.

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

[0047] Preferred embodiments of this invention will 
now be described in detail with reference to the accom- 
panying drawings. An illustrative embodiment of a data 
transmission system according to the invention is one 
which limits to a specific data receiver the reception of 
data transmitted by a data transmitter over satellite links. 

[0048] As depicted in Fig. 6, this embodiment of the data transmission system controls transmission of data from a data transmitter 2 to data receivers 3a, 3b and 3c over satellite links 4a, leased lines 7 and telephone lines 8 serving as communication channels, as well as over bidirectional communication channels 9. In the system, the data transmitter 2 encrypts data and transmits the encrypted data over the communication channels to the data receivers 3a, 3b and 3c.

[0049] The data transmission system 1 includes the communication channels 4a which, by utilizing a communication satellite 4, act as a first communication channel allowing the data transmitter 2 to send data to the data receivers 3a, 3b and 3c; and the leased lines 7, telephone lines 8 and bidirectional communication channels 9 serving as a second communication channel providing bidirectional communication between the data transmitter 2 on one hand and the data receivers 3a, 3b and 3c on the other hand. The data transmission system 1 uses the first communication channel for transmission of encrypted data from the data transmitter 2 to the data receivers 3a, 3b and 3c, and employs the second communication channel for transmission of restrictive data transmission control information from the data transmitter to the data receivers. The data transmission system 1 is connected to the Internet.

[0050] The restrictive data transmission control information is information which allows a specific data receiver or receivers to receive data sent from the data transmitter 2. In other words, the restrictive data transmission control information authorizes a specific data receiver or receivers to receive the data of interest transmitted.

[0051] Using the above-described communication channels, the data transmitter 2 transmits various data to the data receivers 3a, 3b and 3c. The data receivers 3a, 3b and 3c receive the data coming over the communication channels. Although the setup of Fig. 6 shows only three data receivers 3a, 3b and 3c, the data transmission system 1 may in practice comprise between hundreds and hundreds of thousands of data receivers.

[0052] What follows is a description of the communication channels permitting data exchanges between the data transmitter 2 and the data receivers 3a, 3b and 3c (generically called the data receiver 3 hereunder if there is no specific need to distinguish the individual data receivers 3a, 3b and 3c from one another).

[0053] The satellite links 4a are unidirectional circuits on the Ku band having a capacity of about 30 Mbps. The satellite links 4a allow the data transmitter 2 to transmit data simultaneously to, say, data receivers distributed all over Japan.

[0054] The bidirectional communication channels 9 are installed independently of the satellite links 4a between the data transmitter 2 and the data receiver 3. As their name implies, the bidirectional communication channels 9 permit bidirectional communication between the data transmitter 2 and the data receiver 3. As such, the bidirectional communication channels 9 are assumed hereunder to be general-purpose communication channels for use in communication over the Internet.

[0055] The leased lines 7 are communicating means directly connecting the data transmitter 2 with the data receiver 3.

[0056] The Internet 6 provides diverse kinds of information such as video and audio information. An Internet service provider 5 attaches the data receiver 3 communicatively to the Internet. The data transmitter 2 is assumed to be connected to the Internet 6.

[0057] The leased lines 7, telephone lines 8 and bidirectional communication channels 9 permitting data exchanges between the data transmitter 2 and the data receiver 3 have a smaller band capacity than the satellite links 4a. Generally, the lines 7, 8 and 9 provide a bandwidth of several to hundreds of kbps.

[0058] The data transmission system 1 is also constituted as a so-called restrictive data receiving system allowing only a specific data receiver or receivers to receive data of interest. As such, the data transmission system 1 can transmit data to, say, the data receiver 3a alone (unicast data distribution), to a group of data receivers 3a and 3b only (multicast data distribution), or to all data receivers 3a, 3b and 3c (broadcast data distribution).

[0059] In the data transmission system 1, the data transmitter 2 sends data to the data receiver 3 as follows: the data to be transmitted from the data transmitter 2 to the data receiver 3 are encapsulated as shown in Figs. 7A through 7G. Encapsulation is a process carried out by the data transmitter 2 transmitting the data of interest. In a first encapsulating step, the data to be sent to the data receiver 3 are encapsulated in accordance with a first protocol. In a second encapsulating step, the data encapsulated as per the first protocol are further encapsulated in accordance with a second protocol. The encapsulating process involves putting untreated data into capsules (i.e., packets or frames) formed based on a transmission format stipulated by a given communication protocol. With the data placed into such capsules, their transmission becomes controllable.
[0060] In the first encapsulating step, a capsule is formed by placing the whole target data to be sent to the data receiver 3 into a real data part equipped with an additional information part related to the real data part in question. The real data part in the capsule is encrypted. Below is a more detailed description of the first encapsulating step.

[0061] An IP (Internet Protocol) datagram 101 is composed of data based on the Internet Protocol as indicated in Fig. 7A. The data in the IP datagram 101 are destined for the data receiver 3. A header of the IP datagram includes a destination address identifying the destination of the datagram on, say, the Internet.
[0062] The IP datagram 101 is not limited to being structured based on the Internet Protocol; it may be constituted alternatively in accordance with the Ethernet protocol.

[0063] As shown in Figs. 7B through 7D, the data transmitter 2 encapsulates the data according to the first protocol mentioned above. Illustratively, Multiprotocol Encapsulation for DVB (Digital Video Broadcasting) may be adopted as the first protocol.
[0064] As shown in Fig. 7B, the data transmitter 2 performs data encapsulation in accordance with the first protocol first by padding the IP datagram (i.e., adding a padding part 102) to make the length of the data part an integer multiple of 64 bits. For example, a padding part of 0 to 63 bits is suffixed to the IP datagram 101. All bits in the padding part are "1" each. The padding is intended to keep the datagram to a predetermined data length because the data part is better suited for encryption when its length is an integer multiple of 64 bits (64 bits being the block length of the Triple-DES cipher used below). The data part placed in the format of the first protocol is called a section hereunder.

[0065] The section supplemented with the padding 102 is then encrypted by the data transmitter 2 as shown in Fig. 7C. Encryption is carried out by use of encryption keys. The encryption keys are session keys (described later) used to encrypt information to be sent to the data receiver 3. The encryption method adopted here is a block encryption method based on the common key cryptosystem, such as Triple-DES. Triple-DES is one of today's strongest common key (symmetric) cryptosystems and is easy to implement for high-speed encryption in hardware. Unlike most public key cryptosystems, this encryption process is fast enough to keep up with transmission at rates as high as 30 Mbps.

[0066] As indicated in Fig. 7D, the data transmitter 2 supplements an encrypted section data part 104 with a section header 103 and a tailer 105 for error detection.
[0067] The encrypted section data part 104 takes on 
a MAC (Media Access Control) frame structure. In the 
process of constituting a MAC frame, a MAC header is 
added to the data part. Referencing the MAC header 
facilitates control over destinations of data placed in the 
frame. Specifically, the MAC frame accommodates the 
destination address of the data receiver authorized to 
receive the data stored in the frame. 
[0068] The section header 103 provides a data space wide enough to accommodate a 48-bit destination address. More specifically, the section header 103 has the
MAC header formed therein to retain the destination ad- 
dress. Provision of the data space holding a 48-bit des- 
tination address in the section header 103 resolves the 
first problem mentioned earlier, i.e., the limited number 
of data receivers that may be configured. That is be- 
cause the expanded address space accommodates a 
large quantity of information for identifying encryption 
keys. In addition, the fourth problem mentioned above 
regarding the poor affinity with the Internet Protocol is 
resolved because there is no need to adjust a packet ID 
(described later) of the IP datagram 101 with respect to 
an IP destination address at the time of datagram trans- 
mission. 

[0069] The tailer 105 is coded for CRC (Cyclic Redundancy Checking). CRC is designed for the data receiver 3 receiving data in a MAC frame to verify whether the frame has been normally transmitted over satellite links. Illustratively, CRC involves coding in 32 bits.
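The first-protocol encapsulation of [0064] through [0069], together with the receiver-side steps S32 through S37 of Fig. 14, as an added Go example; this is not code from the patent or from any Sony implementation. It uses Triple-DES from Go's standard library as the block cipher, pads the IPv4 datagram with 1-bits up to a 64-bit multiple, and strips the padding again from the IPv4 total-length field. The header layout (table_id, 6-byte MAC address, one psc byte, 16-bit length of the data part), the use of CBC mode with a fresh IV carried at the front of the encrypted data part, and the IEEE CRC-32 polynomial are this example's assumptions; the patent specifies none of them. The sample datagram is constructed for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Assumed here, not fixed by the patent: a header of table_id(1) MAC(6) psc(1)
// length(2), CBC mode with a fresh IV in front of the encrypted part, IEEE CRC-32.
const hdrLen, tableID = 10, 0x3E

// des3CBC runs Triple-DES (crypto/des, 24-byte key) in CBC mode over whole blocks.
func des3CBC(key, iv, in []byte, enc bool) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	if enc {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// BuildSection is the first-protocol encapsulation of Figs. 7B-7D: pad with
// 1-bits to a 64-bit multiple (the Triple-DES block length), encrypt under ks,
// prefix the header carrying the 48-bit MAC address and the psc parity bit,
// then append the CRC-32 tailer.
func BuildSection(mac [6]byte, parity byte, ks, datagram []byte) ([]byte, error) {
	padded := append([]byte{}, datagram...)
	for len(padded)%8 != 0 {
		padded = append(padded, 0xFF) // padding part 102: every bit "1"
	}
	iv := make([]byte, 8)
	rand.Read(iv) // crypto/rand never returns a short read; on failure it errors or aborts
	ct, err := des3CBC(ks, iv, padded, true)
	if err != nil {
		return nil, err
	}
	sec := append([]byte{tableID}, mac[:]...)
	sec = append(sec, (parity&1)<<7) // psc high-order bit: 0 = Ks_even, 1 = Ks_odd
	sec = binary.BigEndian.AppendUint16(sec, uint16(8+len(ct)))
	sec = append(append(sec, iv...), ct...)
	return binary.BigEndian.AppendUint32(sec, crc32.ChecksumIEEE(sec)), nil
}

// OpenSection is the receiver side (steps S32-S37 of Fig. 14): check the tailer,
// ask keyFor for the session key belonging to (MAC, psc parity), nil meaning
// "not addressed to us", decrypt, and strip the padding by the IPv4 total length.
func OpenSection(sec []byte, keyFor func(mac [6]byte, parity byte) []byte) ([]byte, error) {
	n := len(sec) - 4
	if n < hdrLen+16 || sec[0] != tableID || (n-hdrLen-8)%8 != 0 ||
		int(binary.BigEndian.Uint16(sec[8:10])) != n-hdrLen {
		return nil, errors.New("malformed section")
	}
	if crc32.ChecksumIEEE(sec[:n]) != binary.BigEndian.Uint32(sec[n:]) {
		return nil, errors.New("CRC mismatch: section damaged in transit")
	}
	var mac [6]byte
	copy(mac[:], sec[1:7])
	ks := keyFor(mac, sec[7]>>7)
	if ks == nil {
		return nil, errors.New("not addressed to this receiver: discarded")
	}
	pt, err := des3CBC(ks, sec[hdrLen:hdrLen+8], sec[hdrLen+8:n], false)
	if err != nil {
		return nil, err
	}
	total := int(binary.BigEndian.Uint16(pt[2:4]))
	if pt[0]>>4 != 4 || total < 20 || total > len(pt) {
		return nil, errors.New("decrypted data is not a well-formed IPv4 datagram")
	}
	return pt[:total], nil // the 1-bit padding falls off here
}

// SampleDatagram is a constructed 25-byte IPv4 datagram (header plus "hello"),
// deliberately not a multiple of 64 bits so that the padding path is exercised.
func SampleDatagram() []byte {
	d := make([]byte, 20, 25)
	d[0], d[8], d[9] = 0x45, 64, 17 // version 4 / IHL 5, TTL 64, UDP
	binary.BigEndian.PutUint16(d[2:4], 25)
	copy(d[12:], []byte{10, 0, 0, 1, 192, 168, 1, 2})
	return append(d, "hello"...)
}

func main() {
	ks, mac := make([]byte, 24), [6]byte{0, 0x11, 0x22, 0x33, 0x44, 0x55}
	rand.Read(ks)
	sec, _ := BuildSection(mac, 1, ks, SampleDatagram())
	dg, err := OpenSection(sec, func([6]byte, byte) []byte { return ks }) // one-key table
	fmt.Printf("%d-byte section -> %x err=%v\n", len(sec), dg, err)
}
```

The keyFor callback is where the receiver's MAC-address-to-session-key table of Fig. 15 plugs in: returning nil for an unknown address is the discard of step S34, and returning the slot named by the psc bit is step S35. Because the CRC is checked before any key is touched, a section damaged on the satellite link is rejected without a decryption attempt; it is an error-detection code only, not an authenticator, so the protection against a forged section rests on the key.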
[0070] Described so far has been the encapsulation of data to be transmitted in accordance with the first protocol. What follows is a description of how the data encapsulated as per the first protocol are further encapsulated in accordance with the second protocol.
[0071] Data encapsulation based on the second pro- 
tocol involves dividing into a plurality of packets the data 
encapsulated according to the first protocol. The second 
protocol is a protocol that stipulates the encapsulation 
of data into TS (Transport Stream) packets based on 
MPEG2 (Moving Picture Experts Group Phase 2). The 
TS packets allow various kinds of data such as audio 
and video signals and other data to be multiplexed and 
transmitted over large-capacity digital lines. According 
to the second protocol, the data are encapsulated into 
a plurality of TS packets 106, 107 and 108 as shown in 
Figs. 7E through 7G. The TS packets 106, 107 and 108 are each made up of a TS header HTS and a TS payload part P. The TS payload part P contains the data that
have been divided and encapsulated in accordance with 
the first protocol. The TS header HTS of each TS packet 
is composed of a packet ID (PID) part and a scramble 
control part as depicted in Fig. 4. Conventionally, the fact 
that a destination address is written to the PID part and 
scramble control part has limited the scope of destina- 
tion address information. This embodiment eliminates 
that disadvantage because the destination address is 
written to the section header 103. 
[0072] The foregoing description has shown the encapsulation of data according to the second protocol. As
described, the data transmitter 2 encapsulates the data 
to be sent to the data receiver 3 (IP datagram) in multi- 
plexed fashion according to the first and the second pro- 
tocol. The encapsulated data are forwarded to the com- 
munication satellite 4. 
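The second-protocol packetization of [0071], as an added Go example that is not part of the patent: a section is cut into 188-byte MPEG-2 TS packets carrying one PID and reassembled at the receiver (step S31 of Fig. 14). The continuity-counter check, which drops a section when a packet was lost on the satellite link instead of splicing mismatched pieces together, goes beyond the text. The section layout assumed for locating the end of the section (a 16-bit length of the data part at bytes 8-9 of a 10-byte header, followed by a 4-byte tailer) and the sample section are this example's constructions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const tsSize, tsPayload, secHdr = 188, 184, 10

// ToTS cuts one section into TS packets on pid: sync byte 0x47,
// payload_unit_start_indicator on the first packet, a 13-bit PID, "payload
// only" adaptation control, a 4-bit continuity counter starting at cc, and
// 0xFF stuffing in the unused tail of the last packet.
func ToTS(pid uint16, cc byte, sec []byte) [][]byte {
	var pkts [][]byte
	for i := 0; i < len(sec); i += tsPayload {
		p := make([]byte, tsSize)
		p[0] = 0x47
		binary.BigEndian.PutUint16(p[1:3], pid&0x1FFF)
		if i == 0 {
			p[1] |= 0x40
		}
		p[3] = 0x10 | (cc & 0x0F)
		cc++
		n := copy(p[4:], sec[i:])
		for j := 4 + n; j < tsSize; j++ {
			p[j] = 0xFF
		}
		pkts = append(pkts, p)
	}
	return pkts
}

// FromTS reassembles the section carried on pid (step S31). Packets on other
// PIDs are skipped, nothing is collected before a payload_unit_start, and a gap
// in the continuity counter means a packet was lost on the satellite link, so
// the section is dropped rather than spliced. The end of the section is found
// from the assumed header: 16-bit data-part length at bytes 8-9, 4-byte tailer.
func FromTS(pid uint16, pkts [][]byte) ([]byte, error) {
	var buf []byte
	var want byte
	started := false
	for _, p := range pkts {
		if len(p) != tsSize || p[0] != 0x47 || binary.BigEndian.Uint16(p[1:3])&0x1FFF != pid {
			continue
		}
		if !started {
			if p[1]&0x40 == 0 {
				continue
			}
			started, want = true, p[3]&0x0F
		}
		if p[3]&0x0F != want {
			return nil, errors.New("continuity error: TS packet lost")
		}
		want = (want + 1) & 0x0F
		buf = append(buf, p[4:]...)
	}
	if len(buf) < secHdr {
		return nil, errors.New("no section on this PID")
	}
	end := secHdr + int(binary.BigEndian.Uint16(buf[8:10])) + 4
	if end > len(buf) {
		return nil, errors.New("truncated section")
	}
	return buf[:end], nil
}

// SampleSection builds a constructed section of the given total size: a
// 10-byte header whose length field covers the data part, recognizable data
// bytes, and a dummy 4-byte tailer.
func SampleSection(size int) []byte {
	sec := make([]byte, size)
	sec[0] = 0x3E
	binary.BigEndian.PutUint16(sec[8:10], uint16(size-secHdr-4))
	for i := secHdr; i < size-4; i++ {
		sec[i] = byte(i)
	}
	copy(sec[size-4:], []byte{0xDE, 0xAD, 0xBE, 0xEF})
	return sec
}

func main() {
	pkts := ToTS(0x100, 0, SampleSection(300))
	back, err := FromTS(0x100, pkts)
	fmt.Printf("%d packets, %d bytes recovered, err=%v\n", len(pkts), len(back), err)
	_, err = FromTS(0x100, pkts[:1]) // second packet lost on the link
	fmt.Println("after a lost packet:", err)
}
```

Nothing in the TS header says which receiver a packet is for; as [0071] explains, the destination lives in the section header, so the receiver filters on PID here and decides on authorization only once the whole section is back together.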

[0073] Because restrictive data transmission control 
is effected separately at two levels, i.e., at the TS packet 
level and at the section level, the second, the fifth and 
the sixth problems mentioned earlier are also resolved. 
[0074] More specifically, a large amount of informa- 
tion is secured about encryption keys while the second 
problem is bypassed, i.e., soaring transmission costs in 
keeping with a growing number of PIDs in use. 
[0075] The fifth problem, i.e., the need for each appli- 
cation to be provided with its own controlling method no 
longer applies. Newly introduced applications are 
promptly dealt with by the embodiment. 
[0076] The sixth problem is also circumvented by the 
embodiment. That is, the authentication header (AH) 
and the encapsulating security payload (ESP) are al- 
lowed to be used on the existing Internet. 
[0077] The encapsulation of IP datagrams described 
above applies when the datagrams are transmitted over 
satellite links 4a to the data receiver 3. Over the bidirectional communication channels 9, ordinary procedures of the Internet are used to transmit IP datagrams without recourse to the specialized encapsulation.
[0078] Below is a description of how data are encrypt- 
ed by the data transmitter 2 using encryption keys and 
how encrypted data are decrypted by the data receiver 
3 using the encryption keys (used as decryption keys). 
The data transmitter 2 and data receiver 3, constituted 
as shown in Fig. 8, are interconnected via the commu- 
nication channels depicted in Fig. 6. The data transmit- 
ter 2 transmits data to the data receiver 3 in accordance 
with the first protocol (using the section). Data transmis- 
sion according to the second protocol (using TS pack- 
ets) has been explained above with reference to the 
conventional makeup in Fig. 5. A comparison of the em- 
bodiment of Fig. 8 with the conventional setup in Fig. 5 
shows that the embodiment operates on two key levels, 
i.e., a session key Ks 24 and a master key Km 25 for 
encryption and decryption by the data transmitter and 
data receiver, whereas the conventional setup relies on 
a three-key level scheme. A saving of one key level is achieved by the embodiment.

[0079] The session key Ks 24 is possessed by the data transmitter 2 and the data receiver 3 for data encryption and decryption under what is known as the common key cryptosystem. For differentiating purposes, the session key Ks possessed by the data receiver 3 is referred to as the session key Ks 34 hereunder.
[0080] Using the session key Ks 24, the data transmitter 2 encrypts data to be sent to a specific data receiver or receivers. The data receiver 3 decrypts encrypted data received using the session key Ks 34, thereby extracting meaningful information out of the decrypted data.

[0081] The session keys Ks 24 and 34 are updated at regular intervals, e.g., daily, by the hour or by the minute. Even if eavesdroppers happen to know the session key Ks 24 at a given point in time, they can tap the data only for the limited period during which that key is in effect. Updating of the session keys Ks will be discussed later in more detail.

[0082] The session key Ks 24 is used to encrypt the section data part shown in Fig. 7C in accordance with the Triple-DES mentioned above.

[0083] The master key Km 25, like the session key Ks 24, is possessed by both the data transmitter 2 and the data receiver 3. Each data receiver (3a, 3b, 3c) is assigned its own unique master key. For differentiating purposes, the master key Km held by the data receiver 3 is referred to as the master key Km 35 hereunder.

[0084] The master key Km 25 is never transmitted between the data transmitter 2 and the data receiver 3. There is no occasion on which any master key would be placed onto the communication channels. The master key is an encryption key that should never be known by any means to any party except its owner.

[0085] The master key Km is used by the data transmitter 2 to encrypt the session key Ks before transmitting it to the data receiver 3 and by the data receiver 3 to decrypt the encrypted session key Ks received. More specifically, the data transmitter 2 encrypts the session key Ks 24 using the master key Km 25 and transmits the encrypted session key Ks 24 to the data receiver 3 in advance. On receiving the encrypted session key Ks 24, the data receiver 3 decrypts the received key using its own master key Km 35 (so as to extract the session key Ks 34).

[0086] The session key Ks, having undergone encryption and then decryption based on the master key Km, is guarded against unscrupulous tapping by potential eavesdroppers during transmission from the data transmitter 2 to the data receiver 3.
[0087] Using the decrypted session key Ks, the data receiver 3 decrypts the transmitted data that have been encrypted by use of the session key Ks in question. The data receiver 3 extracts meaningful information out of the decrypted data.

[0088] The session key Ks is encrypted and decrypted using the master key Km in accordance with the Triple-DES. Alternatively, a public key cryptosystem may be adopted. The alternative system is advantageous in that, unlike the encryption and decryption of data, the encryption and decryption of keys need not be carried out at high speed, so the slower public key operations are affordable there while still ensuring security.
[0089] Unlike the session key Ks 24, the master key Km 25 is not updated over time.

[0090] Below is a description of how the session key 
Ks 24 is updated. It is the data transmitter 2 that actively 
updates the session key Ks 24. The session key Ks 24 
encrypted by use of the master key Km 25 (called the encrypted session key Km(Ks) hereunder) is actively transmitted by the data transmitter 2 as well.
[0091] The use of the bidirectional communication 
channels 9 allows the data receiver 3 actively to request 
the session key Ks. In this manner, the individual data 
receivers 3a, 3b and 3c can obtain their needed session keys quickly and reliably from the data transmitter 2. Illustratively, fast and dependable acquisition of the session key Ks 24 is made possible through an active request for the key by the data receiver in such cases as
where a new data receiver 3 is added to the data trans- 
mission system 1 , where a data receiver 3 having been 
put out of service and recovered from a failure rejoins 
the system 1 , or where a data receiver 3 has failed to 
receive the session key Ks correctly. The recovery from 
failure and the update of session keys Ks are managed 
by CA (Conditional Access) managing units 23 and 33 
incorporated in the data transmitter 2 and the data re- 
ceiver 3 respectively. The two units 23 and 33 commu- 
nicate with each other to exchange control information 
therebetween. 

[0092] The above feature makes it possible to over- 
come the third problem mentioned earlier, i.e., the ina- 
bility of the data transmitter, in a data transmission sys- 
tem solely dependent on satellite links as communica- 
tion channels, to know whether information has been 
correctly transmitted to destination data receivers. 
[0093] The data transmitter 2 may transmit the ses- 
sion key Ks to the data receiver 3 either over the unidi- 
rectional satellite links 4a or over the bidirectional com- 
munication channels 9. 

[0094] The session key Ks is updated in steps consti- 
tuting a flowchart shown in Fig. 9. 
[0095] At a given point in time, the data receiver 3 
holds two session keys Ks 34, i.e., a session key 
Ks_even and a session key Ks_odd. The data receiver 
3 uses one of the two session keys Ks_even and 
Ks_odd in decrypting information and data sent from the 
data transmitter 2. 

[0096] Which of the two session keys Ks is currently used is identified by information written in the section header 103 depicted in Fig. 7D. For example, as shown in Fig. 10, the section header 103 comprises a table ID (table_id), a MAC address part (MAC_address_1, MAC_address_2, MAC_address_3, MAC_address_4, MAC_address_5, MAC_address_6), a section information part (section_length, section_number, last_section_number), ssi (section_syntax_indicator), pi (private_indicator), rsvd (reserved), psc (payload_scramble_indicator) 111, asc (address_scramble_indicator), LSf (LLC_SNAP_flag) and cni (current_next_indicator). The psc 111 indicates which of the two session keys Ks is currently in use. The psc 111 is illustratively made of two-bit information. If the psc high-order bit is "0," that means the session key Ks_even is being used; if the psc high-order bit is "1," that means the session key Ks_odd is now in use.

[0097] In step S1 of Fig. 9, a check is made to see which of the session keys Ks is currently used. In step S2, the data receiver 3 is triggered by a timer into initiating a session key updating process.

[0098] In step S3, the data receiver 3 updates the flag of the current session key Ks found in a correspondence table in which MAC addresses are retained in correspondence with session keys Ks. The data receiver 3 illustratively possesses a MAC-address-to-session-key correspondence table such as is shown in Fig. 11. A flag in the currently used session key Ks is updated with reference to the table. The update operation inverts the high-order bit of the psc 111 to, say, "0."
[0099] In step S4, the data receiver 3 decrypts the IP datagram included in the section on the basis of the psc 111. More specifically, if the psc high-order bit is set to "0," the data receiver 3 stops using the current session key Ks_odd (used when the psc high-order bit is "1") and switches to the session key Ks_even for decryption. If the psc high-order bit is set to "1," the data receiver 3 stops utilizing the current session key Ks_even (used when the psc high-order bit is "0") and switches to the session key Ks_odd for decryption.
[0100] In step S5 and before the session key Ks is changed anew, the data transmitter 2 encrypts the next session key Ks using the master key Km 25 and transmits the encrypted key to the data receiver 3.
[0101] The encrypted session key Km(Ks) is transmitted over either the satellite links 4a or the bidirectional communication channels 9. The protocol used for the transmission should be one which entails acknowledgments, such as TCP/IP (Transmission Control Protocol/Internet Protocol). The protocol allows the session key Ks to be transmitted unfailingly from the data transmitter 2 to the data receiver 3.

[0102] In step S6 and while the session key transmission is under way, the data receiver 3 updates the MAC-address-to-session-key correspondence table shown in Fig. 11. That is, the currently used session key Ks is replaced by the next session key Ks.

[0103] In step S7, the data receiver 3 ascertains that the next session key Ks is now retained by the data receiver 3. In step S8, the data receiver 3 switches to the next session key Ks. Steps S8 through S13 constitute a process in which the psc high-order bit is set to "1" so that the session key Ks_odd is used for decryption. The process is reached either from step S7, or from step S1 if the data receiver 3 finds the current session key Ks to be the session key Ks_even (psc high-order bit: 0).
[0104] By carrying out the steps above, the data trans- 
mitter 2 feeds the data receiver 3 with session keys Ks 
that are updated reliably. The data receiver 3 switches 
its two session keys Ks instantaneously so that there 
will be no discontinuation of data decryption based on 
the currently effective session key Ks. The updating fre- 
quency of the session key Ks 24 may be varied flexibly 
depending on the duration of transmission processing. 
[0105] The session key Ks is updated regularly inside the data receiver 3 as described above. Using the session key Ks thus updated, the data receiver 3 decrypts information and data which are sent in along with the key.

[0106] Described below are steps to be performed by the data transmitter 2 before sending data, and steps to be carried out by the data receiver 3 after receiving data. The steps that the data transmitter 2 performs before transmitting data are shown illustratively in a flowchart of Fig. 12. The steps to be conducted by the data receiver 3 upon receipt of data are indicated illustratively in a flowchart of Fig. 14.

[0107] In step S21 of Fig. 12, the data transmitter 2 
receives an IP datagram to be sent to the data receiver 
3 either from the transmitter 2 itself or from an interface 
that is connected to the bidirectional communication 
channels 9. The data transmitter 2 also receives infor- 
mation from an information center on the basis of access 
information from the Internet 6. 

[0108] In step S22, the data transmitter 2 checks a 
destination address part of the IP datagram to know a 
destination address based on the first protocol. For ex- 
ample, the data transmitter 2 finds out the destination 
address of the data receiver 3 according to the first pro- 
tocol by referring to an IP-address-to-MAC-address cor- 
respondence table such as one shown in Fig. 13, the 
table being retained by the data transmitter 2. 
[0109] With the destination address thus found out, the data transmitter 2 creates a section in accordance with the destination address. At this point, the data transmitter 2 provides the data part with bit "1" padding as needed so that the data part will become a multiple of 64 bits.

[0110] In step S23, the data transmitter 2 extracts the currently used session key Ks 24 by checking a flag 112 of that key Ks in a MAC-address-to-session-key correspondence table such as one shown in Fig. 11. Using the session key Ks thus extracted, the data transmitter 2 encrypts the data part of the section as shown in Fig. 7C. At this point, the data transmitter 2 checks the flag of the current session key Ks and sets the flag content to the high-order bit of the psc 111 in the section header 103 shown in Fig. 10.

[0111] In step S24, the data transmitter 2 divides the 
entire section 109 into payload parts P of TS packets 
106, 107 and 108 as shown in Figs. 7E through 7G. The 
TS packets 106, 107 and 108 are supplemented with a 
predetermined PID each. The payload P is encrypted as required by the second protocol before being output onto the satellite links 4a.

[0112] The foregoing description has shown the steps in which the data transmitter 2 makes preparations prior to data transmission. The data receiver 3, having received the data over the satellite links 4a, carries out the steps described below.

[0113] In step S31 of Fig. 14, the data receiver 3 decrypts the TS packets 106, 107 and 108 received over the satellite links 4a so as to reconstruct the entire section 109 therefrom.

[0114] In step S32, the data receiver 3 extracts the destination address (i.e., MAC address) of the section. In step S33, the data receiver 3 checks to see if the MAC address is found in a MAC-address-to-session-key correspondence table shown in Fig. 15. That is, a check is
made to see if the section contains data that the data 
receiver 3 is authorized to receive. If no MAC address 
is found in step S33, the data receiver 3 goes to step 
S34 and discards the data. If a MAC address is detect- 
ed, the data receiver 3 reaches step S35 in which the 
psc 111 shown in Fig. 10 is extracted from the section 
header 103. The data receiver 3 checks the high-order 
bit of the psc 111 to see which of the two session keys 
Ks is currently effective, and the effective session key 
Ks is selected. 

[0115] In step S36, the data receiver 3 decrypts the
section data 104 using the retrieved session key Ks in 
accordance with the Triple-DES. In step S37, the data 
receiver 3 extracts the IP datagram from the decrypted 
data. Illustratively, the data receiver 3 reads a total 
length field 113 (in Fig. 16) from the IP header prefixed 
to the decrypted data part, finds out the length of the IP 
datagram from the field 113, and extracts the entire IP 
datagram calculated accordingly. In the process, the ex- 
cess padding attached upon encryption is removed so 
that the target IP datagram is extracted intact. 
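The two-level key scheme of [0079] through [0105] and the key-selection steps S23 and S33 through S35 of Figs. 12 and 14, as an added Go example that is not code from the patent. It follows the public-key alternative named in [0088]: the receiver's master key is an RSA private key generated on the receiver and never transmitted, and Km(Ks) is the 24-byte session key encrypted with RSA-OAEP under the receiver's public key; the primary embodiment would instead wrap Ks with Triple-DES under a shared Km. The deliver callback stands in for the acknowledged channel of [0101]. Binding the slot index into the OAEP label, and refusing to flip the psc bit until delivery is confirmed, are this example's additions; the MAC address and key sizes are constructed for it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

type MAC [6]byte // 48-bit section destination address

// Receiver: the master key is an RSA private key generated on the receiver, so
// it never travels on any channel (the public-key variant of [0088]). table is
// the MAC-address-to-session-key table of Fig. 15 with one Ks_even (index 0)
// and one Ks_odd (index 1) slot per address the receiver may accept.
type Receiver struct {
	priv  *rsa.PrivateKey
	table map[MAC]*[2][]byte
}

func NewReceiver(mac MAC) (*Receiver, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Receiver{priv, map[MAC]*[2][]byte{mac: {}}}, err
}

func (r *Receiver) PublicKey() *rsa.PublicKey { return &r.priv.PublicKey }

// InstallKs is the receiver side of steps S5 to S7: unwrap Km(Ks) into the named
// slot. The slot index is the OAEP label, so a key wrapped for one slot cannot
// be replayed into the other.
func (r *Receiver) InstallKs(mac MAC, slot byte, wrapped []byte) error {
	s := r.table[mac]
	if s == nil {
		return errors.New("key for an address this receiver does not own")
	}
	ks, err := rsa.DecryptOAEP(sha256.New(), nil, r.priv, wrapped, []byte{slot})
	if err != nil || len(ks) != 24 {
		return errors.New("Km(Ks) did not unwrap")
	}
	s[slot&1] = ks
	return nil
}

// KeyFor is steps S33 to S35 of Fig. 14: discard sections for addresses not in
// the table, otherwise pick Ks_even or Ks_odd from the psc high-order bit.
func (r *Receiver) KeyFor(mac MAC, psc byte) ([]byte, error) {
	s := r.table[mac]
	if s == nil {
		return nil, errors.New("not addressed to this receiver: discarded")
	}
	if ks := s[psc>>7]; ks != nil {
		return ks, nil
	}
	return nil, errors.New("no session key for this psc parity")
}

// Transmitter keeps, for one destination address, the receiver's public key
// (in place of its Km), both session key slots and the Fig. 11 flag (cur).
type Transmitter struct {
	pub *rsa.PublicKey
	ks  [2][]byte
	cur byte
}

// CurrentKey is step S23: the key to encrypt the next section with, and the psc
// byte whose high-order bit tells the receiver which slot to use.
func (t *Transmitter) CurrentKey() ([]byte, byte, error) {
	if t.ks[t.cur] == nil {
		return nil, 0, errors.New("no session key delivered yet")
	}
	return t.ks[t.cur], t.cur << 7, nil
}

// Rollover is Fig. 9 seen from the transmitter: draw the next Ks, wrap it for
// the slot not in use, hand it to deliver (standing in for TCP on channel 9),
// and flip the psc bit only once delivery is confirmed. The previous key stays
// in its slot, so sections still in flight under it continue to decrypt.
func (t *Transmitter) Rollover(deliver func(slot byte, wrapped []byte) error) error {
	next, ks := t.cur^1, make([]byte, 24)
	rand.Read(ks) // crypto/rand never returns a short read; on failure it errors or aborts
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, t.pub, ks, []byte{next})
	if err != nil {
		return err
	}
	if err := deliver(next, wrapped); err != nil {
		return err // not confirmed: keep encrypting under the current key
	}
	t.ks[next], t.cur = ks, next
	return nil
}

func main() {
	mac := MAC{0, 0x11, 0x22, 0x33, 0x44, 0x55}
	rx, _ := NewReceiver(mac)
	tx := &Transmitter{pub: rx.PublicKey(), cur: 1} // first key lands in Ks_even
	for i := 0; i < 3; i++ {
		err := tx.Rollover(func(slot byte, w []byte) error { return rx.InstallKs(mac, slot, w) })
		ks, psc, _ := tx.CurrentKey()
		got, _ := rx.KeyFor(mac, psc)
		fmt.Printf("rollover %d: err=%v psc=%#02x receiver has same key: %v\n", i, err, psc, string(got) == string(ks))
	}
}
```

The point of the two slots is visible in Rollover: the transmitter keeps encrypting under the current key until the receiver has confirmed the next one, and the receiver keeps the old key until its slot is overwritten a full period later, so no section is ever sent under a key the receiver lacks. A receiver that rejoins after a failure simply requests the current pair over the bidirectional channel, as [0091] describes.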
[0116] By carrying out the steps described above, the 
data transmitter 2 performs necessary processing prior 
to data transmission and the data receiver 3 conducts 
procedures associated with the received data. The data 
receiver 3 thus accepts the information and data that 
have been addressed thereto. 

[0117] The data transmission system 1 constituted as 
described above is capable of resolving the convention- 
ally experienced problems mentioned earlier. 
[0118] Variations of the data transmission system 1 may be made alternatively. Fig. 17 shows a data transmission system 201, a first variation of the system 1. The data transmission system 201 is characterized in that the data receiver 3 is furnished as an IP router.
[0119] The data transmission system 1 is shown hav- 
ing the data receiver 3a receive IP datagrams directly. 
By contrast, the data transmission system 201 has its 
data receiver 3a structured as an IP router. This setup 
allows the data received by the data receiver 3a from 
the satellite links 4a to be transferred to computers 203a 
and 203b which are not interfaced to the satellite links 
4a, the computers 203a and 203b being connected to the data receiver 3a over a local area network (LAN) 202 such as the Ethernet. In this case, the data transmitter 2 and the data receiver 3a may provide restrictive data reception control over not only the data receiver 3a but also all computers 203a and 203b on the local area network 202 connected to the data receiver 3a. More specifically, in the correspondence table of Fig. 13 held by the data transmitter 2, in which IP addresses are set in correspondence with section destination addresses (MAC addresses), individual IP addresses are replaced with IP network addresses each representing a set of a plurality of IP addresses. To effect restrictive data transmission control between the data receiver 3a on one
hand and the computers 203a and 203b on the other 
hand requires implementing restrictive data transmis- 
sion control measures at the level of either the IP pro- 
tocol or of applications of higher orders. That is because 
data transmission in the data transmission system 201 
is carried out over the satellite links 4a only. 
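Step S22 of Fig. 12 with the network-address rows of [0119], as an added Go example that is not code from the patent: the IP-address-to-MAC-address table of Fig. 13 holds /32 host rows for directly attached receivers (system 1) and CIDR network rows for a receiver acting as a router (system 201). The example generalizes the text to a longest-prefix match, so a single host inside an authorized network can still be given its own row, and it refuses to map destinations no row covers. Addresses, MAC values and the datagram builder are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"sort"
)

// Entry is one row of the IP-address-to-MAC-address table of Fig. 13: a host
// route (/32, as in system 1) or a network route (system 201) together with
// the section destination MAC address the transmitter writes for it.
type Entry struct {
	Net *net.IPNet
	MAC [6]byte
}

// Table stays sorted longest prefix first, so Lookup is a longest-prefix
// match: a single host inside an authorized network can still get its own row.
type Table []Entry

func (t *Table) Add(cidr string, mac [6]byte) error {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	*t = append(*t, Entry{n, mac})
	sort.SliceStable(*t, func(i, j int) bool {
		a, _ := (*t)[i].Net.Mask.Size()
		b, _ := (*t)[j].Net.Mask.Size()
		return a > b
	})
	return nil
}

// Lookup is step S22: read the destination address from the IPv4 header and
// map it to a section MAC address. ok == false means no receiver is authorized
// for that destination, so the datagram must not be put on the satellite link.
func (t Table) Lookup(datagram []byte) (mac [6]byte, ok bool) {
	if len(datagram) < 20 || datagram[0]>>4 != 4 {
		return mac, false
	}
	dst := net.IP(datagram[16:20])
	for _, e := range t {
		if e.Net.Contains(dst) {
			return e.MAC, true
		}
	}
	return mac, false
}

// DatagramTo builds a constructed, payload-less IPv4 header addressed to ip.
func DatagramTo(ip string) []byte {
	d := make([]byte, 20)
	d[0], d[8], d[9] = 0x45, 64, 17
	binary.BigEndian.PutUint16(d[2:4], 20)
	copy(d[12:16], []byte{10, 0, 0, 1})
	copy(d[16:20], net.ParseIP(ip).To4())
	return d
}

func main() {
	var t Table
	t.Add("10.0.0.7/32", [6]byte{0, 0x11, 0x22, 0x33, 0x44, 0x55})     // receiver 3a, system 1
	t.Add("192.168.1.0/24", [6]byte{0, 0x11, 0x22, 0x33, 0x44, 0x66})  // receiver 3a as router, system 201
	t.Add("192.168.1.77/32", [6]byte{0, 0x11, 0x22, 0x33, 0x44, 0x77}) // one host behind that router
	for _, ip := range []string{"10.0.0.7", "192.168.1.9", "192.168.1.77", "172.16.5.5"} {
		mac, ok := t.Lookup(DatagramTo(ip))
		fmt.Printf("%-13s -> %x authorized=%v\n", ip, mac, ok)
	}
}
```

As [0119] notes, a network row only restricts reception at the granularity of the router 3a; which computer on the LAN 202 may read a datagram is then enforced by the router, at the IP or application level, not by the satellite-link encryption.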
[0120] A data transmission system 301, a second variation of the system 1, is sketched in Fig. 18. In the data
transmission system 301, the data receiver 3a is struc- 
tured as a bridge that solely performs protocol conver- 
sion in forwarding IP datagrams. The data transmission 
system 301 differs from the system 201 in that the sys- 
tem 301 does not conduct routing. 
[0121] The data receiver 3a decrypts data received 
over the satellite links 4a to extract an IP datagram 
therefrom. The extracted IP datagram is placed in an 
Ethernet frame and transferred to a general-purpose 
router 302. In turn, the router 302 performs ordinary 
processing on the IP datagram. With no need to effect 
routing on its own, the data receiver 3a is structured sim- 
ply and used in conjunction with a general-purpose rout- 
er. 

[0122] Many different embodiments of this invention 
may be made without departing from the spirit and 
scope of the invention. It is to be understood that the 
invention is not limited to the specific illustrative embod- 
iments described hereinabove. 



Claims 

1. A data transmission controlling method for control-
ling transmission of data from data transmitting 
means to data receiving means over communica- 
tion channels, said data transmission controlling 
method comprising the steps of: 

transmitting data encrypted by said data trans- 
mitting means to said data receiving means 
over a first communication channel provided for 
data transmission from said data transmitting 
means to said data receiving means; and 
transmitting to said data receiving means restrictive data transmission control information for causing the encrypted data to be received solely by specific data receiving means at least over a second communication channel which, having a smaller capacity of data transmission than said first communication channel, is also used for data transmission from said data receiving means to said data transmitting means.

2. A data transmission controlling method according to claim 1, wherein said second communication
channel is a communication channel permitting bi- 
directional communication between said data trans- 
mitting means and said data receiving means. 

3. A data transmission controlling method according to claim 1, wherein said data transmitting means performs data encryption using an encryption key and wherein said encrypted data from said data transmitting means are decrypted by said data receiving means utilizing a decryption key identical to said encryption key used in the data encryption.

4. A data transmission controlling method according to claim 3, wherein said encryption key and said decryption key are session keys for encrypting and decrypting information and data.

5. A data transmission controlling method according to claim 4, wherein said session keys are updated at predetermined intervals.

6. A data transmission controlling method according to claim 4, wherein said data transmitting means and said data receiving means have a master key specific to said data receiving means;

wherein said data transmitting means encrypts said session keys using said master key and transmits the encrypted session keys to said data receiving means over either said first communication channel or said second communication channel; and

wherein said data receiving means decrypts said encrypted session keys received using said master key.

7. A data transmission controlling method according to claim 6, wherein said data transmitting means possesses said session keys corresponding to all data receiving means authorized to receive specific information and data; and

wherein said data transmitting means transmits in advance said session keys to said data receiving means authorized to receive specific information and data.

8. A data transmission controlling method according to claim 1, wherein said first communication channel is a satellite link permitting unidirectional communication from said data transmitting means to said data receiving means; and

wherein said second communication channel is 
a communication channel permitting bidirec- 
tional communication between said data trans- 
mitting means and said data receiving means. 

9. A data transmission controlling method according to claim 1, wherein said data receiving means is constituted as an IP router.

10. A data transmission controlling method according to claim 1, wherein said data receiving means is constituted as a bridge.

11. A data transmission system comprising: 

data transmitting means for encrypting data 
and transmitting the encrypted data; 
data receiving means for receiving said en- 
crypted data from said data transmitting 
means; 

a first communication channel used for data 
transmission from said data transmitting means 
to said data receiving means; and 
a second communication channel which is also 
used for data transmission from data receiving 
means to said data transmitting means and
which has a smaller capacity of data transmis- 
sion than said first communication channel; 
wherein said first communication channel is 
used to transmit said encrypted data; and 
wherein at least said second communication 
channel is used to transmit restrictive data 
transmission control information for causing 
said encrypted data to be received solely by 
specific data receiving means. 

12. A data transmission system according to claim 11, 
wherein said data transmitting means performs da- 
ta encryption using an encryption key and wherein 
said encrypted data from said data transmitting 
means are decrypted by said data receiving means 
utilizing a decryption key identical to said encryption 
key used in the data encryption. 

13. A data transmission system according to claim 12, 
wherein said encryption key and said decryption 
key are session keys for encrypting and decrypting 
information and data. 

14. A data transmission system according to claim 13, 
wherein said session keys are updated at predeter- 
mined intervals. 



15. A data transmission system according to claim 13, wherein said data transmitting means and said data receiving means have a master key specific to said data receiving means;

wherein said data transmitting means encrypts said session keys using said master key and transmits the encrypted session keys to said data receiving means over either said first communication channel or said second communication channel; and

wherein said data receiving means decrypts said encrypted session keys received using said master key.

16. A data transmission system according to claim 15, wherein said data transmitting means possesses said session keys corresponding to all data receiving means authorized to receive specific information and data; and

wherein said data transmitting means transmits in advance said session keys to said data receiving means authorized to receive specific information and data.

17. A data transmission system according to claim 11, wherein said first communication channel is a satellite link permitting unidirectional communication from said data transmitting means to said data receiving means.

18. A data transmission system according to claim 11, wherein said data receiving means is constituted as an IP router.

19. A data transmission system according to claim 11, wherein said data receiving means is constituted as a bridge.

20. A data transmission controlling method for controlling transmission of data from data transmitting means to data receiving means over communication channels and for causing said data transmitting means to encrypt data and transmit the encrypted data to said data receiving means over said communication channels, said data transmission controlling method comprising the steps of:

encapsulating the data to be transmitted in multiplexed fashion in accordance with a plurality of protocols; and

encrypting at least one of the data capsules resulting from the encapsulation.

21. A data transmission controlling method according 
to claim 20, wherein the data encapsulating step in- 
cludes: 
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a first encapsulating step for encapsulating the 
data to be transmitted to said data receiving 
means in accordance with a first protocol; and 
a second encapsulating step for further encap- 
sulating the encapsulated data from said first 
encapsulating step in accordance with a sec- 
ond protocol; 

wherein said first encapsulating step supple- 
ments a real data part including said data to be 
transmitted to said data receiving means with 
an additional information part associated with 
said real data part, said first encapsulating step 
further encrypting said real data part. 

22. A data transmission controlling method according to claim 21, wherein said additional information part includes destination address information identifying the data receiving means authorized to receive data included in said real data part.

23. A data transmission controlling method according 
to claim 22, wherein said destination address infor- 
mation is either individual or group destination ad- 
dress information. 

24. A data transmission controlling method according 
to claim 22, wherein said data transmitting means 
possesses session keys corresponding to said des- 
tination address information, said session keys be- 
ing used by said data transmitting means to encrypt 
information and data and by said receiving means 
to decrypt the encrypted information and data re- 
ceived; and 

wherein said data transmitting means transmits 
in advance said session keys to the data receiv- 
ing means authorized to receive the transmitted 
information and data in accordance with said 
destination address information. 

25. A data transmission controlling method according 
to claim 24, wherein said session keys are updated 
at predetermined intervals. 

26. A data transmission controlling method according 
to claim 24, wherein said session keys are transmit- 
ted over a communication channel permitting either 
unidirectional communication from said data trans- 
mitting means to said data receiving means or bidi- 
rectional communication therebetween. 

27. A data transmission controlling method according to claim 21, wherein said first encapsulating step uniquely determines how said destination address information attached to said real data part is stored into said additional information part, said first encapsulating step further encrypting said real data part using a master key specific to the data receiving means corresponding to said destination address information.

28. A data transmission controlling method according to claim 22, wherein said additional information part provides a 48-bit space in which to accommodate said destination address information.

29. A data transmission controlling method according to claim 21, wherein said first encapsulating step encapsulates the data to be transmitted to said data receiving means in accordance with either the Internet protocol or the Ethernet protocol.

30. A data transmission controlling method according to claim 20, wherein said data receiving means is constituted as an IP router.

31. A data transmission controlling method according to claim 20, wherein said data receiving means is constituted as a bridge.

32. A data transmission controlling method for controlling transmission of data from data transmitting means to data receiving means over communication channels and for causing said data transmitting means to encrypt data and transmit the encrypted data to said data receiving means over said communication channels, said data transmission controlling method comprising the steps of:

encrypting data using an encryption key;

supplementing the encrypted data with encryption key information about said encryption key;

transmitting said encrypted data together with said encryption key information from said data transmitting means to said data receiving means; and

decrypting said encrypted data using one of a plurality of decryption keys which allow said data receiving means to decrypt said encrypted data and which are updated frequently, said one of the decryption keys being selected in accordance with said encryption key information attached to said encrypted data.

33. A data transmission controlling method according to claim 32, wherein said plurality of decryption keys include a decryption key which is currently usable for decrypting said encrypted data received, and a decryption key which is to be used next to decrypt said encrypted data received; and

wherein said data decrypting step selects the currently usable decryption key based on said encryption key information.

34. A data transmission controlling method according 
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to claim 33, wherein said encryption key and said 
decryption keys are session keys for encrypting in- 
formation and data. 

35. A data transmission controlling method according to claim 34, wherein said session keys are updated at predetermined intervals.

36. A data transmission controlling method according to claim 32, wherein said data receiving means is constituted as an IP router.

37. A data transmission controlling method according to claim 32, wherein said data receiving means is constituted as a bridge.
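Added worked example (not part of the patent and not Sony's implementation): a small Python model of the mechanism set out in claims 11 to 16, 20 to 29 and 32 to 35. The patent names no cipher, so an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for it; the capsule layout (one flag byte carrying the key indicator, the 48-bit destination address, then the encrypted real data part), the key-message layout, the class and function names (Transmitter, Receiver, seal, unseal, rotate, switch, demo) and the addresses are all assumptions made for this example. It goes slightly beyond the claims by covering individual and group addressing in one receiver: session keys are wrapped under each receiver's master key and pushed in advance over whichever channel is available, every capsule is filtered on its destination address, and the receiver picks the current or the next session key from the key information in the capsule, so the transmitter can switch keys on the one-way link without a gap and a receiver that was not given the next key drops off at the switch.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

GROUP = bytes.fromhex("ffffffffffff")  # constructed 48-bit group address (Ethernet-style)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the cipher the patent does not name
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(-(-n // 32)))[:n]

def seal(key: bytes, header: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext and authenticate it together with the cleartext header."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(key: bytes, header: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if header or body was altered."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, header + nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Transmitter:
    master_keys: dict                            # receiver address -> master key (shared out of band)
    session: dict = field(default_factory=dict)  # dest address -> [key_even, key_odd]
    parity: dict = field(default_factory=dict)   # dest address -> index of the key in use

    def rotate(self, dest: bytes, members: list) -> list:
        """Install a fresh key in the unused slot; return it wrapped for each authorized member."""
        nxt = 1 - self.parity.get(dest, 1)
        key = os.urandom(32)
        self.session.setdefault(dest, [None, None])[nxt] = key
        msgs = []
        for rx in members:
            hdr = b"K" + rx                      # key message addressed to one receiver
            msgs.append(hdr + seal(self.master_keys[rx], hdr, dest + bytes([nxt]) + key))
        return msgs

    def switch(self, dest: bytes) -> None:
        self.parity[dest] = 1 - self.parity.get(dest, 1)  # start using the key from rotate()

    def send(self, dest: bytes, data: bytes) -> bytes:
        """Capsule: key-indicator flag + 48-bit destination address, then the encrypted real data."""
        p = self.parity[dest]
        hdr = bytes([p]) + dest
        return hdr + seal(self.session[dest][p], hdr, data)

@dataclass
class Receiver:
    addr: bytes
    master_key: bytes
    groups: set                                  # group addresses this receiver belongs to
    keys: dict = field(default_factory=dict)     # dest address -> {0: key, 1: key}

    def take_key(self, msg: bytes) -> bool:
        """Unwrap a key message meant for us; both the current and the next key are kept."""
        hdr, blob = msg[:7], msg[7:]
        if hdr != b"K" + self.addr:
            return False
        body = unseal(self.master_key, hdr, blob)
        self.keys.setdefault(body[:6], {})[body[6]] = body[7:]
        return True

    def receive(self, capsule: bytes):
        """Filter on destination address, select the key named by the flag, decrypt."""
        hdr, blob = capsule[:7], capsule[7:]
        p, dest = hdr[0] & 1, hdr[1:]
        if dest != self.addr and dest not in self.groups:
            return None                          # addressed to someone else
        key = self.keys.get(dest, {}).get(p)
        if key is None:
            return None                          # never authorized for this key
        return unseal(key, hdr, blob)

def demo() -> dict:
    """Two authorized receivers and one outsider; returns what each recovered per capsule."""
    a, b, e = (bytes.fromhex(h) for h in ("00a0b0000001", "00a0b0000002", "00a0b0000003"))
    tx = Transmitter(master_keys={a: os.urandom(32), b: os.urandom(32)})
    ra, rb = Receiver(a, tx.master_keys[a], {GROUP}), Receiver(b, tx.master_keys[b], {GROUP})
    re_ = Receiver(e, os.urandom(32), {GROUP})   # outsider: no master key on file at tx

    def flood(msgs):                             # one-way link: every receiver sees everything
        for m in msgs:
            for rx in (ra, rb, re_):
                rx.take_key(m)

    flood(tx.rotate(GROUP, [a, b]))
    tx.switch(GROUP)
    cap1 = tx.send(GROUP, b"payload 1")
    flood(tx.rotate(GROUP, [a]))                 # next key goes to a only: b is dropped
    cap2 = tx.send(GROUP, b"payload 2")          # still under the current key
    tx.switch(GROUP)
    cap3 = tx.send(GROUP, b"payload 3")          # now under the next key
    return {name: [rx.receive(c) for c in (cap1, cap2, cap3)]
            for name, rx in (("a", ra), ("b", rb), ("eve", re_))}
```

Calling demo() returns, per receiver, what it recovered from the three capsules: receiver a gets all three, receiver b gets the first two and nothing after the key switch, and the outsider gets nothing because no key message was ever wrapped for it. Two points the claims leave open and the example settles deliberately: the tag covers the cleartext header, so the destination address and key indicator cannot be altered in transit without detection, and the wrapped key message names both the receiver and the destination address it is for, so a key issued for one group cannot be replayed as the key of another.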
[Drawing sheets (pages 15 to 21 of the publication): the figures did not survive extraction; only stray characters remain, except for part of FIG. 9.]

[FIG. 9, flowchart (partial): (START) -> "IS CURRENT SESSION KEY Ks_odd (Psc: 1)?" -> YES / NO -> S8 "A SESSION KEY UPDATING ..." -> "THE FLAG OF THE CURRENT SESSION KEY Ks IS SET TO ..." -> "... ENCRYPTS THE SESSION ..." (remaining step labels not recoverable)]
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